Abstract

We consider a framework in which a group of agents communicates
by means of emails, with the possibility of replies, forwards and blind 
carbon copies (BCC). We study the epistemic consequences of such 
email exchanges by introducing an appropriate epistemic language and 
semantics. This allows us to determine when a group of agents acquires 
common knowledge of the formula expressing that an email was sent. 

We also show that in our framework from the epistemic point of 
view the BCC feature of emails cannot be simulated using messages 
without BCC recipients. Finally, we clarify the notion of a causal 
relationship between emails using the concept of properly terminating 
email exchanges. 



1 Introduction 

1.1 Motivation 

Email is by now a prevalent form of communication. Its advantages speak
for themselves. However, we rarely pause to reflect on its undesired
consequences. To mention just a few:

One occasionally reads about scandals caused by email leaks, see, e.g., 
[3]. On a smaller scale, users of the blind carbon copy feature (BCC) are 
sometimes confronted with an undesired situation in which a BCC recipient 
of an email reveals his status to others by using the reply-all feature. Fur- 
ther, many email systems allow one to edit a forwarded email, in particular 
allowing one to modify the content or the identity of the sender and of the 
recipients list. 

Recently, a main Dutch daily, NRC Handelsblad, reported, see [10], that
Wouter Bos, the Deputy Prime Minister in the previous Dutch government,
revealed the extensive network of his contacts by sending out his new email
address to about four hundred influential recipients whose email addresses
were erroneously put in the CC list instead of the BCC list. The list was
leaked to the newspaper.

Centrum for Mathematics and Computer Science (CWI), Science Park 123, 1098 XG
Amsterdam, the Netherlands, and University of Amsterdam

Epistemic consequences of email exchanges are occasionally raised by 
researchers in various contexts. For instance, the author of [2] mentions 
'some issues of email ethics' by discussing a case of an email discussion in 
which some researchers were not included (and hence could not build upon 
the reported results). 

Then consider the following recent quotation from a blog in which the 
writers call for a boycott of a journal XYZ: "We are doing our best to 
make the misconduct of the Editors-in-Chief a matter of common knowledge 
within the [...] community in the hope that everyone will consider whatever 
actions may be appropriate for them to adopt in any future associations 
with XYZ".

So when studying email exchanges a natural question arises: what are 
their knowledge-theoretic consequences? To put it more informally: after an 
email exchange took place, who knows what? Motivated by the above blog 
entry we can also ask: can sending emails to more and more new recipients 
ever create common knowledge? (Our Main Theorem shows that the answer 
is "No.") 

To be more specific consider the following example to which we shall 
return later. 

Example 1. Assume the following email exchange involving four people, 
Alice, Bob, Clare and Daniel: 

• Alice and Daniel got an email from Clare, 

• Alice forwarded it to Bob, 

• Bob forwarded Alice's email to Clare and Daniel with a BCC to Alice, 

• Alice forwarded the last email to Clare and Daniel with a BCC to Bob.

The question is:

Do all four people involved in this exchange have common knowledge of
Bob's email? □

To answer such questions we study email exchanges focusing on relevant 
features that we encounter in most email systems. 

More specifically, we study the following form of email communication:

• each email has a sender, a non-empty set of regular recipients and
a (possibly empty) set of blind carbon copy (BCC) recipients. Each 
recipient receives a copy of the message and is only aware of the regular 
recipients and not of the BCC recipients (except himself), 

• in the case of a reply to or a forward of a message, the unaltered 
original message is included, 

• in a reply or a forward, one can append new information to the original 
message one replies to or forwards. 

As a result, the email exchanges, as studied here, are essentially different 
from other forms of communication, in particular from multicasting, i.e., 
sending a message to a group of recipients. Also, the resulting model of 
email communication differs from the ones that were studied in other papers 
in which only limited aspects of emails have been considered. These papers 
are discussed below. 

1.2 Contributions and plan of the paper 

To study the relevant features of email communication we introduce in the 
next section a carefully chosen language describing emails. We make a dis- 
tinction between a message, which is sent to a public recipient list, and 
an email, which consists of a message and a set of BCC recipients. This 
distinction is relevant because a forward email contains an earlier message, 
without the list of BCC recipients. We also introduce the notion of a legal 
state that captures the fact that there is a causal ordering on the emails. 
For example, an email needs to precede any forward of it. 

To reason about the knowledge of the agents after an email exchange
has taken place we introduce in Section 3 an appropriate epistemic
language. Its semantics takes into account the uncertainty of the recipients
of an email about its set of BCC recipients and the ignorance about the
existence of emails that one neither sent nor received. This semantics allows
us to evaluate epistemic formulas in legal states, in particular the formulas
that characterize the full knowledge-theoretic effect of an email.

In Section 4 we present the main result of the paper, that clarifies when
a group of agents can acquire common knowledge of the formula expressing
the fact that an email has been sent. This characterization in particular
sheds light on the epistemic consequences of BCC. The proof is given in
Section 5. Then in Section 6 we show that in our framework BCC cannot be
simulated using messages without BCC recipients. Finally, in Section 7 we
provide a characterization of legal states in terms of properly terminating
email exchanges. This allows us to clarify the notion of a causal relationship
between emails.

1.3 Related work 

The study of the epistemic effects of communication in distributed systems
originated in the eighties and led to the seminal book [7]. The relevant
literature, including [6], deals only with the customary form of communication,
notably asynchronous send.

One of the main issues studied in these frameworks has been the analysis 
of the conditions that are necessary for acquiring common knowledge. In 
particular, [8] showed that common knowledge cannot be attained in the 
systems in which the communication is not guaranteed. More recently this 
problem was investigated in [5] for synchronous systems with known bounds 
on message transmission in which processes share a global clock. The au- 
thors proved that in such systems a so-called pivotal event is needed in order 
to obtain common knowledge. This in particular generalizes the previous 
result of [8] concerning acquisition of common knowledge in distributed sys- 
tems with synchronous communication. 

The epistemic effects of other forms of communication were studied in 
numerous papers. In particular, in [12] the communicative acts are assumed 
to consist of an agent j 'reading' an arbitrary propositional formula from 
another agent i. The idea of an epistemic contents of an email is implic- 
itly present in [13], where a formal model is proposed that formalizes how 
communication changes the knowledge of a recipient of the message. 

In [5] a dynamic epistemic logic modelling effects of communication and
change is introduced and extensively studied. Further, in [17] an epistemic
logic was proposed to reason about information flow w.r.t. underlying
communication channels. [11] surveys these and related approaches and
discusses the used epistemic, dynamic epistemic and doxastic logics.

Most related to the work here reported are the following two references.
[1] studied knowledge and common knowledge in a set up in which the agents
send and forward propositional formulas in a social network. However, the
forward did not include the original message and the BCC feature was absent.
More recently, in [15] explicit messages are introduced in a dynamic
epistemic logic to analyze a similar setting, though BCC was simulated as
discussed in Section 6. In both papers it is assumed that the number of
messages is finite. In contrast, in the setting of this paper the forward
includes the original message, which results directly in an infinite number of
messages and emails.

Finally, the concept of a causal relation between messages in distributed 
systems is due to [S]. Lamport's analysis of causality was extended in the al- 
ready cited paper [1] to synchronous systems with known bounds on message 
transmission. 

2 Preliminaries 

2.1 Messages 

In this section we define the notion of a message. We assume non-empty 
and finite sets of agents Ag = {1, . . ., n} and of notes L. Each agent has a 
set of notes he holds initially. 

We make a number of assumptions. Firstly, we assume that the agents do 
not know which notes belong to the other agents. Furthermore, we assume 
that the agents only exchange emails about the notes. In particular, they 
cannot communicate epistemic formulas. We also assume that an agent can 
send a message to other agents containing a note only if he holds it initially 
or has learnt it through an email he received earlier. 

We inductively define messages as follows, where in each case we assume
that $G \neq \emptyset$:

• $m := s(i, l, G)$; the message containing note $l$, sent by agent $i$ to the
group $G$,

• $m := f(i, l.m', G)$; the forwarding by agent $i$ of the message $m'$ with
added note $l$, sent to the group $G$.

So the agents can send a message with a note or forward a message with 
a new note appended, where the latter covers the possibility of a reply or a 
reply-all. To allow for the possibility of sending a forward without appending 
a new note, we can assume there exists a note true that is held by all agents 
and identify true.m with m. 

If $m$ is a message, then we denote by $S(m)$ and $R(m)$, respectively, the
singleton set consisting of the agent sending $m$ and the group of agents
receiving $m$. So for the above messages $m$ we have $S(m) = \{i\}$ and
$R(m) = G$. We do allow that $S(m) \subseteq R(m)$, i.e., that one sends a
message to oneself.

Special forms of the forward messages can be used to model reply messages.
Given $f(i, l.m, G)$, using $G = S(m)$ we obtain the customary reply
message and using $G = S(m) \cup R(m)$ we obtain the customary reply-all
message. (In the customary email systems there is a syntactic difference between
a forward and a reply to these two groups of agents, but the effect of both
messages is exactly the same, so we ignore this difference.) In the examples
we write $s(i, l, j)$ instead of $s(i, l, \{j\})$, etc.

2.2 Emails 

An interesting feature of most email systems is that of the blind carbon copy 
(BCC). We study here the epistemic effects of sending an email with BCC 
recipients and will now include this feature in our presentation. 

In the previous subsection we defined messages that have a sender and a 
group of recipients. Now we define the notion of an email which allows the 
additional possibility of sending a BCC of a message. The BCC recipients 
are not listed in the list of recipients, therefore we have not included them 
in the definition of a message. Formally, by an email we mean a construct
of the form $m_B$, where $m$ is a message and $B \subseteq Ag$ is a possibly
empty set of BCC recipients. Given a message $m$ we call each email $m_B$ a
full version of $m$.

Since the set of BCC recipients is 'secret', it does not appear in a forward.
That is, the forward of an email $m_B$ with added note $l$ is the message
$f(i, l.m, G)$ or an email $f(i, l.m, G)_C$, in which $B$ is not mentioned. This
is consistent with the way BCC is handled in the email systems. However,
this forward may be sent not only by a sender or a regular recipient of $m_B$,
but also by a BCC recipient. Clearly, the fact that an agent was a BCC
recipient of an email is revealed at the moment he forwards the message.

A natural question arises: what if someone is both a regular recipient 
and a BCC recipient of an email? In this case, no one (not even this BCC 
recipient himself) would ever notice that this recipient was also a BCC 
recipient since everyone can explain his knowledge of the message by the fact 
that he was a regular recipient. Only the sender of the message would know 
that this agent was also a BCC recipient. This fact does not change anything 
and hence we assume that for any email $m_B$ we have
$(S(m) \cup R(m)) \cap B = \emptyset$.

Re: Example 1

Using the just introduced language we can formalize the story from
Example 1 as follows, where we abbreviate Alice to a, etc.:

• Alice and Daniel got an email from Clare:
$e := m_\emptyset$, where $m := s(c, l, \{a, d\})$,

• Alice forwarded it to Bob:
$e' := m'_\emptyset$, where $m' := f(a, m, b)$,

• Bob forwarded Alice's email to Clare and Daniel with a BCC to Alice:
$e'' := m''_{\{a\}}$, where $m'' := f(b, m', \{c, d\})$,

• Alice forwarded the last email to Clare and Daniel with a BCC to Bob:
$f(a, m'', \{c, d\})_{\{b\}}$.

2.3 Legal states 

Our goal is to analyze knowledge of agents after some email exchange took 
place. To this end we need to define a possible collection of sent emails. 

First of all, we shall assume that every message is used only once. In
other words, for each message $m$ there is at most one full version of $m$,
i.e., an email of the form $m_B$. The rationale behind this decision is that
a sender of $m_B$ and $m_{B'}$ might equally well send a single email
$m_{B \cup B'}$. This assumption can be summarized as a statement that the
agents do not have 'second thoughts' about the recipients of their emails. It
also simplifies subsequent considerations.

In this work we have decided not to impose a total ordering on the emails 
in our model, for example by giving each email a time stamp. This makes 
the model a lot simpler. Also, many interesting questions can be answered 
without imposing such a total ordering. For example, we can investigate the 
existence of common knowledge in a group of agents after an email exchange 
perfectly well without knowing the exact order of the emails that were sent. 

However, we have to impose some ordering on the sets of emails. For 
example, we need to make sure that the agents only send information they 
actually know. Moreover, a forward can only be sent after the original email 
was sent. We will introduce the minimal partial ordering that takes care of 
such issues. 

First, we define by structural induction the factual information $FI(m)$
contained in a message $m$ as follows:

$$FI(s(i, l, G)) := \{l\},$$
$$FI(f(i, l.m, G)) := FI(m) \cup \{l\}.$$

Informally, the factual information is the set of notes which occur somewhere
in the message, including those occurring in forwarded messages.

We will use the concept of a state to model the effect of an email exchange.
A state $s = (E, L)$ is a tuple consisting of a finite set $E$ of emails
that were sent and a sequence $L = (L_1, \ldots, L_n)$ of sets of notes for all
agents. The idea of these sets is that each agent $i$ initially holds the notes
in $L_i$. We use $E_s$ and $L_s$ to denote the corresponding elements of a
state $s$, and $L_1, \ldots, L_n$ to denote the elements of $L$.

We say that a state $s = (E, L)$ is legal w.r.t. a strict partial ordering (in
short, an spo) $\prec$ on $E$ if it satisfies the following conditions:

L.1: for each email $f(i, l.m, G)_B \in E$ an email $m_C \in E$ exists such that
$m_C \prec f(i, l.m, G)_B$ and $i \in S(m) \cup R(m) \cup C$,

L.2: for each email $s(i, l, G)_B \in E$, where $l \notin L_i$, an email
$m_C \in E$ exists such that $m_C \prec s(i, l, G)_B$, $i \in R(m) \cup C$ and
$l \in FI(m)$,

L.3: for each email $f(i, l.m', G)_B \in E$, where $l \notin L_i$, an email
$m''_C \in E$ exists such that $m''_C \prec f(i, l.m', G)_B$,
$i \in R(m'') \cup C$ and $l \in FI(m'')$.

Condition L.1 states that the agents can only forward messages they
previously received. Conditions L.2 and L.3 state that if an agent sends a
note that he did not initially hold, then he must have learnt it by means of
an earlier email.

We say that a state s is legal iff it is legal w.r.t. some spo. Given a 
legal state s, by its causality ordering we mean the smallest (so the least 
constraining) spo w.r.t. which s is legal. 

So a state is legal if every forward was preceded by its original message, 
and for every note sent in an email there is an explanation how the sender 
of the email learnt this note. 

3 Epistemic language and its semantics 

We want to reason about the knowledge of the agents after an email exchange
has taken place. For this purpose we use a language $\mathcal{L}$ of
communication and knowledge defined as follows:

$$\varphi ::= m \mid i \triangleleft m \mid \neg\varphi \mid \varphi \wedge \varphi \mid C_G \varphi$$

Here $m$ denotes a message. The formula $m$ expresses the fact that $m$ has
been sent in the past, with some unknown group of BCC recipients. The
formula $i \triangleleft m$ expresses the fact that agent $i$ was involved in a
full version of the message $m$, i.e., he was either the sender, a recipient or
a BCC recipient. The formula $C_G \varphi$ denotes common knowledge of the
formula $\varphi$ in the group $G$.

We use the usual abbreviations $\vee$, $\to$ and $\leftrightarrow$ and use
$K_i \varphi$ as an abbreviation of $C_{\{i\}} \varphi$. The fact that an email
with a certain set of BCC recipients was sent can be expressed in our language
by the following abbreviation:

$$m_B := m \wedge \bigwedge_{i \in S(m) \cup R(m) \cup B} i \triangleleft m \wedge \bigwedge_{i \notin S(m) \cup R(m) \cup B} \neg\, i \triangleleft m$$

Note that this formula expresses the fact that the message $m$ was sent with
exactly the group $B$ as BCC recipients, which captures precisely the intended
meaning of $m_B$.

We now provide a semantics for this language interpreted on legal states,
inspired by the epistemic logic and the history-based approaches of [12] and
[13]. For every agent $i$ we define an indistinguishability relation $\sim_i$,
where we intend $s \sim_i s'$ to mean that agent $i$ cannot distinguish between
the states $s$ and $s'$. We first define this relation on the level of emails as
follows (recall that we assume that senders and regular recipients are not BCC
recipients):

$$m_B \sim_i m'_{B'}$$

iff one of the following contingencies holds:

(i) $i \in S(m)$, $m = m'$ and $B = B'$,

(ii) $i \in R(m) \setminus S(m)$ and $m = m'$,

(iii) $i \in B \cap B'$, and $m = m'$,

(iv) $i \notin S(m) \cup R(m) \cup B$ and $i \notin S(m') \cup R(m') \cup B'$.

Condition (i) states that the sender of an email confuses it only with
the email itself. In turn, condition (ii) states that each regular recipient
of an email who is not a sender confuses it with any email with the same
message but possibly sent to a different BCC group. Next, condition (iii)
states that each BCC recipient of an email confuses it with any email with
the same message but sent to a possibly different BCC group of which he is
also a member. Finally, condition (iv) states that each agent confuses any
two emails in which he is not involved.

Example 2. Consider the emails $e := s(i, l, j)_\emptyset$ and
$e' := s(i, l, j)_{\{k\}}$. We have then $e \not\sim_i e'$, $e \sim_j e'$ and
$e \not\sim_k e'$. Intuitively, agent $j$ cannot distinguish between these two
emails because he cannot see whether $k$ is a BCC recipient. In contrast,
agents $i$ and $k$ can distinguish between these two emails. □

Next, we extend the indistinguishability relation to legal states by defining

$$(E, L) \sim_i (E', L')$$

iff all of the following hold:

• $L_i = L'_i$,

• for any $m_B \in E$ such that $i \in S(m) \cup R(m) \cup B$ there is
$m_{B'} \in E'$ such that $m_B \sim_i m_{B'}$,

• for any $m_{B'} \in E'$ such that $i \in S(m) \cup R(m) \cup B'$ there is
$m_B \in E$ such that $m_B \sim_i m_{B'}$.

So two states cannot be distinguished by an agent if they agree on his
notes and their email sets look the same to him. Since we assume that the
agents do not know anything about the other notes, we do not refer to the
sets of notes of the other agents. Note that $\sim_i$ is an equivalence relation.

Example 3. Consider the legal states $s_1$ and $s_2$ which are identical apart
from their sets of emails:

$$E_{s_1} := \{s(i, l, j)_\emptyset,\ f(j, s(i, l, j), o)_\emptyset\},$$
$$E_{s_2} := \{s(i, l, j)_{\{k\}},\ f(j, s(i, l, j), o)_\emptyset,\ f(k, s(i, l, j), o)_\emptyset\}.$$

We assume here that $l \in L_i$. The corresponding causality orderings
clarify that in the first state agent $i$ sends a message with proposition $p$ to
agent $j$ and then $j$ forwards this message to agent $o$. Further, in the second
state agent $i$ sends the same message but with a BCC to agent $k$, and then
both agent $j$ and agent $k$ forward the message to agent $o$.

From the above definition it follows that $s_1 \not\sim_i s_2$,
$s_1 \sim_j s_2$, $s_1 \not\sim_k s_2$ and $s_1 \not\sim_o s_2$. For example, the
first claim holds because, as noticed above,
$s(i, l, j)_\emptyset \not\sim_i s(i, l, j)_{\{k\}}$. Intuitively, in state $s_1$
agent $i$ is aware that he sent a BCC to nobody, while in state $s_2$ he is aware
that he sent a BCC to agent $k$. In turn, in both states $s_1$ and $s_2$ agent $j$
is aware that he received the message $s(i, l, j)$ and that he forwarded the
email $f(j, s(i, l, j), o)_\emptyset$. Intuitively, in state $s_2$ agent $j$ does
not notice the BCC of the message $s(i, l, j)$ and is not aware of the email
$f(k, s(i, l, j), o)_\emptyset$. □

In order to express common knowledge, we define for a group of agents
$G$ the relation $\sim_G$ as the reflexive, transitive closure of
$\bigcup_{i \in G} \sim_i$. Then we define the truth of a formula from our
language in a state inductively as follows, where $s = (E, L)$:

$$\begin{array}{lll}
s \models m & \text{iff} & \exists B : m_B \in E \\
s \models i \triangleleft m & \text{iff} & \exists B : m_B \in E \text{ and } i \in S(m) \cup R(m) \cup B \\
s \models \neg\varphi & \text{iff} & s \not\models \varphi \\
s \models \varphi \wedge \psi & \text{iff} & s \models \varphi \text{ and } s \models \psi \\
s \models C_G \varphi & \text{iff} & s' \models \varphi \text{ for any legal state } s' \text{ such that } s \sim_G s'
\end{array}$$

We say that $\varphi$ is valid (and often just write '$\varphi$' instead of
'$\varphi$ is valid') if for all legal states $s$, $s \models \varphi$.

Even though this definition does not specify the form of communication,
one can deduce from it that the communication is synchronous, that is,
that each email is simultaneously received by all the recipients. Namely,
the condition of the form $m_B \in E$ present in the second clause implies
that for every email $m_B$ the following equivalence is valid for all
$i, j \in S(m) \cup R(m) \cup B$:

$$i \triangleleft m \leftrightarrow j \triangleleft m.$$

This means that in every legal state $(E, L)$ either all recipients of the email
$m_B$ received it (when $m_B \in E$) or none (when $m_B \notin E$).

However, it should be noted that the agents do not have a common 'clock' 
using which they could deduce how many messages have been sent. Also, 
there is no common 'blackboard' using which they could deduce how many 
messages have been sent by other agents between two consecutive messages 
they have received. 

The following lemma clarifies when specific formulas are valid. In the
sequel we shall use these observations implicitly.

Lemma 1.

(i) $m \to m'$ is valid iff $m = m'$ or $m'$ is part of the message $m$.

(ii) $m \to i \triangleleft m'$ is valid iff $i \in S(m') \cup R(m')$ or for some
note $l$ and group $G$, $f(i, l.m', G)$ is part of the message $m$.

The second item states that $m \to i \triangleleft m'$ is valid either if $i$ is
a sender or a receiver of $m'$ (in that case actually $i \triangleleft m'$ is
valid) or $i$ forwarded the message $m'$. The latter is also possible if $i$ was
a BCC receiver of $m'$. The claimed equivalence holds thanks to condition L.1.

Example 4. To illustrate the definition of truth let us return to Example 3.
In state $s_2$ agent $j$ does not know that agent $k$ received the message
$s(i, l, j)$ since he cannot distinguish $s_2$ from the state $s_1$ in which
agent $k$ did not receive this message. So
$s_2 \models \neg K_j\, k \triangleleft s(i, l, j)$ holds.

On the other hand, in every legal state $s_3$ such that $s_2 \sim_o s_3$ both an
email $f(k, s(i, l, j), o)_C$ and a 'justifying' email $s(i, l, j)_B$ have to
exist such that $s(i, p, j)_B \prec f(k, s(i, l, j), o)_C$ and $k \in B$.
Consequently $s_3 \models k \triangleleft s(i, l, j)$, so
$s_2 \models K_o\, k \triangleleft s(i, l, j)$ holds, so by sending the forward
agent $k$ revealed himself to $o$ as a BCC recipient.

We leave to the reader checking that both
$s_2 \models C_{\{k,o\}}\, k \triangleleft s(i, l, j)$ and
$s_2 \models \neg C_{\{j,o\}}\, k \triangleleft s(i, l, j)$ hold. In words,
agents $k$ and $o$ have common knowledge that agent $k$ was involved in a full
version of the message $s(i, l, j)$, while the agents $j$ and $o$ don't. □

4 Common knowledge 

We now clarify when a group of agents acquires common knowledge of the
formula expressing that an email was sent. This shows how we can use our
framework to investigate epistemic consequences of email exchanges.

Given a set of emails $E$ and a group of agents $A$, let

$$E_A := \{m_B \in E \mid A \subseteq S(m) \cup R(m) \text{ or } \exists j \in B : (A \subseteq S(m) \cup \{j\})\}.$$

When $e \in E_A$ we shall say that the email $e$ is shared by the group $A$.
Note that when $|A| \geq 3$, then $e \in E_A$ iff $A \subseteq S(m) \cup R(m)$.
When $|A| = 2$, then $e \in E_A$ also when $\exists j \in B : A = S(m) \cup \{j\}$,
and when $|A| = 1$, then $e \in E_A$ also when $A = S(m)$ or
$\exists j \in B : A = \{j\}$.

The following theorem summarizes our results.

Main Theorem. Consider a legal state $s = (E, L)$ and a group of agents $A$.

(i) $s \models C_A m$ iff there is $m'_{B'} \in E_A$ such that $m' \to m$ is valid,

(ii) Suppose that $|A| \geq 3$. Then $s \models C_A m_B$ iff the following hold:

C1 $Ag = S(m) \cup R(m) \cup B$,

C2 for each $i \in B$ there is $m'_{B'} \in E_A$ such that
$m' \to i \triangleleft m$ is valid,

C3 there is $m'_{B'} \in E_A$ such that $m' \to m$ is valid.

In words, $s \models C_A m_B$ iff

• the email $m_B$ involves all agents,

• for every agent $i$ that is on the BCC list of $m_B$ there is an email shared
by the group $A$ that proves that $i$ forwarded message $m$,

• there is an email shared by the group $A$ that proves the existence of
the message $m$.

The first of the above three items is striking and shows that common
knowledge of an email is rare.

As an aside let us mention that there is a corresponding result for the
case when $|A| < 3$, as well. However, it involves a tedious case analysis
concerning the possible relations between $A$, $S(m)$, $R(m)$ and $B$, so we do
not present it here.

Re: Example 1

We can use the above result to answer the question posed in Example 1.
Let $s$ be the state whose emails consist of the considered four emails, so

$e := m_\emptyset$, where $m := s(c, l, \{a, d\})$,
$e' := m'_\emptyset$, where $m' := f(a, m, b)$,
$e'' := m''_{\{a\}}$, where $m'' := f(b, m', \{c, d\})$,
$f(a, m'', \{c, d\})_{\{b\}}$.

Alice's set of notes in $s$ consists of $l$ while the sets of notes of Bob, Clare
and Daniel are empty. Note that $s$ is legal. We have then

$$s \not\models C_{\{a,b,c,d\}}\, f(b, m', \{c, d\})_{\{a\}}.$$

The reason is that condition C2 does not hold since no email shared by
$\{a, b, c, d\}$ exists that proves that Alice received $m''$. In contrast,

$$s \models C_{\{a,c,d\}}\, f(b, m', \{c, d\})_{\{a\}}$$

does hold, since the email $f(a, m'', \{c, d\})_{\{b\}}$ is shared by
$\{a, c, d\}$. Further, if Alice used the forward
$f(a, m'', \{b, c, d\})_\emptyset$, then condition C2 would hold
and we could conclude for this modified state $s'$ that

$$s' \models C_{\{a,b,c,d\}}\, f(b, m', \{c, d\})_{\{a\}}.$$
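
The following Python sketch is an added example, not part of the paper: it encodes messages and emails as in Section 2, the indistinguishability relations of Section 3 and conditions C1 to C3 of the Main Theorem, then replays Examples 1 and 3. All class and function names are hypothetical, agents are single-letter strings, and `proves_forward` covers only the forward case of Lemma 1(ii), which is the case C2 needs because BCC recipients are neither senders nor regular recipients.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

TRUE = "true"  # the paper's note held by everybody: a forward with nothing appended

@dataclass(frozen=True)
class Msg:                       # s(i, l, G) when fwd is None, else f(i, l.fwd, G)
    sender: str
    note: str
    to: FrozenSet[str]
    fwd: Optional["Msg"] = None

@dataclass(frozen=True)
class Email:                     # m_B: a message plus its hidden BCC set B
    msg: Msg
    bcc: FrozenSet[str] = frozenset()

# Groups are written as strings of one-letter agent names, e.g. "cd" for {c, d}.
def s(i, l, G): return Msg(i, l, frozenset(G))
def f(i, l, m, G): return Msg(i, l, frozenset(G), m)
def S(m): return frozenset({m.sender})
def R(m): return m.to
def involved(e, i): return i in S(e.msg) | R(e.msg) | e.bcc

def parts(m):
    """m itself, then every message nested inside it."""
    while m is not None:
        yield m
        m = m.fwd

def email_indist(i, e1, e2):
    """e1 ~_i e2, contingencies (i)-(iv) of Section 3."""
    if i in S(e1.msg):
        return e1 == e2                                   # (i)
    if i in R(e1.msg):
        return e1.msg == e2.msg                           # (ii)
    if i in e1.bcc:
        return e1.msg == e2.msg and i in e2.bcc           # (iii)
    return not involved(e2, i)                            # (iv)

def state_indist(i, st1, st2):
    """(E, L) ~_i (E', L'), with L a dict from agent to set of notes."""
    (E1, L1), (E2, L2) = st1, st2
    def matched(Ea, Eb):
        return all(any(email_indist(i, e, x) for x in Eb)
                   for e in Ea if involved(e, i))
    return L1[i] == L2[i] and matched(E1, E2) and matched(E2, E1)

def shared(E, A):
    """E_A: the emails shared by the group A."""
    A = frozenset(A)
    return [e for e in E if A <= S(e.msg) | R(e.msg)
            or any(A <= S(e.msg) | {j} for j in e.bcc)]

def implies_sent(m1, m):
    """Lemma 1(i): m1 -> m is valid iff m is m1 or a part of m1."""
    return any(p == m for p in parts(m1))

def proves_forward(m1, i, m):
    """Forward case of Lemma 1(ii): some f(i, l.m, G) occurs in m1.
    Assumption: 'part of' includes m1 itself, as the paper's Example 1 needs."""
    return any(p.sender == i and p.fwd == m for p in parts(m1))

def ck_message(E, A, m):
    """Main Theorem (i): does s |= C_A m hold?"""
    return any(implies_sent(e.msg, m) for e in shared(E, A))

def ck_email(E, Ag, A, email):
    """Main Theorem (ii): conditions C1-C3 for s |= C_A m_B, |A| >= 3."""
    if len(A) < 3:
        raise ValueError("part (ii) is stated only for |A| >= 3")
    m, B, EA = email.msg, email.bcc, shared(E, A)
    return {"C1": frozenset(Ag) == S(m) | R(m) | B,
            "C2": all(any(proves_forward(e.msg, i, m) for e in EA) for i in B),
            "C3": any(implies_sent(e.msg, m) for e in EA)}

# Example 1: Clare -> a, d; Alice -> b; Bob -> c, d (BCC a); Alice -> c, d (BCC b)
AG = frozenset("abcd")
m = s("c", "l", "ad")
m1 = f("a", TRUE, m, "b")
m2 = f("b", TRUE, m1, "cd")
E1 = [Email(m), Email(m1), Email(m2, frozenset("a")),
      Email(f("a", TRUE, m2, "cd"), frozenset("b"))]
BOB = Email(m2, frozenset("a"))
E1_MOD = E1[:3] + [Email(f("a", TRUE, m2, "bcd"))]   # Alice forwards to b, c, d openly

def example1():
    return (ck_email(E1, AG, set("abcd"), BOB), ck_email(E1, AG, set("acd"), BOB),
            ck_email(E1_MOD, AG, set("abcd"), BOB))

# Example 3: agents i, j, k, o; both states give every agent the same notes
sij = s("i", "l", "j")
NOTES = {"i": {"l"}, "j": set(), "k": set(), "o": set()}
S1 = ([Email(sij), Email(f("j", TRUE, sij, "o"))], NOTES)
S2 = ([Email(sij, frozenset("k")), Email(f("j", TRUE, sij, "o")),
       Email(f("k", TRUE, sij, "o"))], NOTES)

def example3():
    return {a: state_indist(a, S1, S2) for a in "ijko"}

if __name__ == "__main__":
    print(example1())
    print(example3())
```

For the group {a, b, c, d} the set of shared emails is empty, so C2 and C3 both fail; the paper's discussion singles out C2.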

5 Proof of the Main Theorem 

We establish first a number of auxiliary lemmas. We shall use a new strict
partial ordering on emails. We define

$$m_B < m'_{B'} \text{ iff } m \neq m' \text{ and } m' \to m.$$

Note that $m' \to m$ precisely if $m'$ is a forward, or a forward of a forward,
etc, of $m$. Then for two emails $m_B$ and $m'_{B'}$ from a legal state $s$ with
the causality ordering $\prec$, $m_B < m'_{B'}$ implies $m_B \prec m'_{B'}$ on
the account of condition L.1. However, the converse does not need to hold since
$m_B \prec m'_{B'}$ can hold on the account of L.2 or L.3. Further, note that
the $<$-maximal elements of $E$ are precisely the emails in $E$ that are not
forwarded.

Given a set of emails $E$ and $E' \subseteq E$ we then define the downward
closure of $E'$ by

$$E'_{\leq} := E' \cup \{e \in E \mid \exists e' \in E' : e < e'\}.$$

The set of emails $E$ on which the downward closure of $E'$ depends will always
be clear from the context.

Next, we introduce two operations on states. Assume a state $(E, L)$ and
an email $m_B \in E$.

We define the state

$$s \setminus m_B := (E \setminus \{m_B\}, L'),$$

with

$$L'_i := \begin{cases} L_i \cup FI(m) & \text{if } i \in R(m) \cup B \\ L_i & \text{otherwise} \end{cases}$$

Intuitively, $s \setminus m_B$ is the result of removing the email $m_B$ from
the state $s$, followed by augmenting the sets of notes of its recipients in
such a way that they initially already had the notes they would have acquired
from $m_B$. Note that $s \setminus m_B$ is a legal state if $m_B$ is a
$<$-maximal element of $E$.

Next, given $C \subseteq B$ we define the state

$$s[m_{B \mapsto C}] := (E \setminus \{m_B\} \cup \{m_C\}, L'),$$

with

$$L'_i := \begin{cases} L_i \cup FI(m) & \text{if } i \in B \setminus C \\ L_i & \text{otherwise} \end{cases}$$

Intuitively, $s[m_{B \mapsto C}]$ is the result of shrinking the set of BCC
recipients of $m$ from $B$ to $C$, followed by an appropriate augmenting of the
sets of notes of the agents that no longer receive $m$.

Note that $s[m_{B \mapsto C}]$ is a legal state if there is no forward of $m$
by an agent $i \in B \setminus C$, i.e., no email of the form $f(i, l.m, G)_D$
exists in $E$ such that $i \in B \setminus C$.

We shall need the following lemma that clarifies the importance of the
set $E_A$ of emails.

Lemma 2. Consider a legal state $s = (E, L)$ and a group of agents $A$. Then
for some $L'$ the state $s' := ((E_A)_{\leq}, L')$ is legal and $s \sim_A s'$.

Proof. We prove that for all $<$-maximal emails $m_B \in E$ such that
$m_B \notin E_A$ (so neither $A \subseteq S(m) \cup R(m)$ nor
$\exists i \in B : (A \subseteq S(m) \cup \{i\})$) we have
$s \sim_A s \setminus m_B$. Iterating this process we get the desired conclusion.

Suppose $m_B$ is a $<$-maximal email in $E$ such that $m_B \notin E_A$. Take
some $j \in A \setminus (S(m) \cup R(m))$. Suppose first $j \notin B$. Then
$s \sim_j s \setminus m_B$ so $s \sim_A s \setminus m_B$.

Suppose now $j \in B$. Define

$$s_1 := s[m_{B \mapsto \{j\}}].$$

Then $s_1$ is a legal state and $s \sim_j s_1$. Next, define

$$s_2 := s[m_{B \mapsto \emptyset}].$$

Now take some $k \in A \setminus (S(m) \cup \{j\})$. Then
$s_1 \sim_k s_2 \sim_j s \setminus m_B$ so $s \sim_A s \setminus m_B$.
Note that both $s_1$ and $s_2$ are legal states since $m_B$ is $<$-maximal. □

Using the above lemma we now establish two auxiliary results concerning
common knowledge of the formula $i \triangleleft m$ or of its negation.

Lemma 3.

(i) $s \models C_A\, i \triangleleft m$ iff
$\exists m'_{B'} \in E_A : (m' \to i \triangleleft m)$
or ($A \subseteq S(m) \cup \{i\}$ and $\exists m_B \in E_A : (i \in B)$).

(ii) $s \models C_A \neg\, i \triangleleft m$ iff
$s \models \neg\, i \triangleleft m$ and ($A \subseteq S(m) \cup \{i\}$ or
$s \models C_A \neg m$).

To illustrate various alternatives listed in (i) note that each of the
following emails in $E$ ensures that $s \models C_{\{j\}}\, i \triangleleft m$,
where in each case $m$ is the corresponding send message:

$$s(i, l, G)_{\{j\}},\quad f(k, q.s(i, l, G), H)_{\{j\}},\quad s(k, l, i)_{\{j\}},\quad f(i, q.s(k, l, G), H)_{\{j\}},\quad s(j, l, G)_{\{i\}}.$$

The first four of these emails imply $s \models C_{\{j\}}\, i \triangleleft m$ by
the first clause of (i), the last one by the second clause.

Proof, (i) (=>) Suppose s \= Cai < m. Take the legal state s' constructed 
in Lemma El Then s ~a s' , so s' (= i -4 in. 

Hence for some group B we have tub G (Ea)< and i G S(m) L)R(m)L)B. 
Three cases arise. 
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Case 1. i G S(m) U R(m). 

Then m — >• i m. So if G Ea, then the claim holds. Otherwise 
some email m' B , G Ea exists such that mg < m' B ,. Consequently m! — > m 
and hence m' — > i m. So the claim holds as well. 

Case 2. i S(m) U J?(m) and ^ C S(m) U {i}. 

Then i £ B since i G £(m) U R(m) U -B. Then by the definition of Ea, 
tub G -Ea so the claim holds. 

Case 3. $i \notin S(m) \cup R(m)$ and $\neg(A \subseteq S(m) \cup \{i\})$.

If for some note $l$ and groups $G$ and $C$ we have $f(i,l.m,G)_C \in (E_A)_{\preceq}$,
then either $f(i,l.m,G)_C \in E_A$ or for some $m'_{B'} \in E_A$ we have $f(i,l.m,G)_C \prec m'_{B'}$.
In the former case we use the fact that the implication $f(i,l.m,G) \to i \blacktriangleleft m$
is valid. In the latter case $m' \to f(i,l.m,G)$ and hence $m' \to i \blacktriangleleft m$.
So in both cases the claim holds.

Otherwise let $s'' = s'[m_{B \mapsto B \setminus \{i\}}]$. Note that $s''$ is a legal state because $i$
does not forward $m$ in $s'$. Take some $j \in A \setminus (S(m) \cup \{i\})$. Then $s' \sim_j s''$,
so $s \sim_A s''$. Moreover, $s'' \models \neg i \blacktriangleleft m$, which yields a contradiction. So this
case cannot arise.

($\Leftarrow$) The claim follows directly by the definition of semantics. We provide
a proof for one representative case. Suppose that for some email $m'_B \in E_A$
both $A \subseteq S(m') \cup R(m')$ and $m' \to i \blacktriangleleft m$. Take some legal state $s'$ such
that $s \sim_A s'$. Then for some group $B'$ we have $m'_{B'} \in E_{s'}$. So $s' \models m'$ and
hence $s' \models i \blacktriangleleft m$. Consequently $s \models C_A\, i \blacktriangleleft m$.

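(ii) Let $s = (E, L)$.

($\Rightarrow$) Suppose $s \models C_A \neg i \blacktriangleleft m$. Then $s \models \neg i \blacktriangleleft m$. Assume $A \not\subseteq S(m) \cup \{i\}$
and $s \not\models C_A \neg m$. Then there is some legal state $s' = (E', L')$ such that
$s \sim_A s'$ and $s' \models m$. Then there is some group $B$ such that $m_B \in E'$. Let
$j \in A \setminus (S(m) \cup \{i\})$ and let $s'' = (E' \setminus \{m_B\} \cup \{m_{B \cup \{i\}}\}, L')$. Then $s' \sim_j s''$
so $s \sim_A s''$. But $s'' \models i \blacktriangleleft m$ which contradicts our assumption.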

($\Leftarrow$) Suppose that $s \models \neg i \blacktriangleleft m$ and either $A \subseteq S(m) \cup \{i\}$ or $s \models C_A \neg m$.
We first consider the case that $A \subseteq S(m) \cup \{i\}$. Let $s'$ be any legal state
such that $s \sim_A s'$. Assume $s' \models i \blacktriangleleft m$. Then $m_B \in E_{s'}$ for some group
$B$ such that $i \in B$. Since $A \subseteq S(m) \cup \{i\}$, any legal state $s''$ such that
$s' \sim_A s''$ contains an email $m_C \in E_{s''}$ for some group $C$ such that $i \in C$. So
$s'' \models i \blacktriangleleft m$. In particular, this holds for the state $s$, which contradicts our
assumption. So $s' \models \neg s(i,n,G)$ and hence $s \models C_A \neg s(i,n,G)$.

Now we consider the case that $s \models C_A \neg m$. Let $s'$ be such that $s \sim_A s'$.
Then $s' \models \neg m$. Since $i \blacktriangleleft m \to m$ is valid, we get $s' \models \neg i \blacktriangleleft m$. So
$s \models C_A \neg i \blacktriangleleft m$.



□

We are now ready to prove the Main Theorem. 
Proof. (i) ($\Rightarrow$) Suppose $s \models C_A m$. Take the legal state $s'$ constructed
in Lemma 2. Then $s \sim_A s'$, so $s' \models m$. So for some group $B$ we have
$m_B \in (E_A)_{\preceq}$.

Hence either $m_B \in E_A$ or some email $m'_{B'} \in E_A$ exists such that $m_B \prec m'_{B'}$.
In both cases the claim holds.

($\Leftarrow$) Suppose that for some email $m'_B \in E_A$ we have $m' \to m$. Take some
legal state $s'$ such that $s \sim_A s'$. Then by the form of $E_A$ and the definition
of semantics for some group $B'$ we have $m'_{B'} \in E_{s'}$. So $s' \models m'$ and hence
$s' \models m$. Consequently $s \models C_A m$.

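(ii) By the definition of $m_B$, the fact that the $C_A$ operator distributes over
the conjunction, part (i) of the Main Theorem and Lemma 3 we have

$s \models C_A m_B$ iff C3-C6,

where

C4 $\bigwedge_{i \in S(m) \cup R(m) \cup B}$ (($A \subseteq S(m) \cup \{i\}$ and $\exists B' : (m_{B'} \in E_A$ and $i \in B')$) or
$\exists m'_{B'} \in E_A : (m' \to i \blacktriangleleft m)$),

C5 $\bigwedge_{i \notin S(m) \cup R(m) \cup B}$ ($A \subseteq S(m) \cup \{i\}$ or $s \models C_A \neg m$),

C6 $s \models \bigwedge_{i \notin S(m) \cup R(m) \cup B} \neg i \blacktriangleleft m$.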

($\Rightarrow$) Suppose $s \models C_A m_B$. Then properties C3-C6 hold. But $|A| > 3$ and
$s \models C_A m$ imply that no conjunct of C5 holds. Hence property C1 holds.

Further, since $|A| > 3$ the first disjunct of each conjunct in C4 does not
hold. So the second disjunct of each conjunct in C4 holds, which implies
property C2.

($\Leftarrow$) Suppose properties C1-C3 hold. It suffices to establish properties
C4-C6.

For $i \in S(m) \cup R(m)$ we have $m \to i \blacktriangleleft m$. So C2 implies property C4.
Further, since C1 holds, properties C5 and C6 hold vacuously. □

6 Analysis of BCC 

In our framework we built emails out of messages using the BCC feature. So 
it is natural to analyze whether and in what sense the emails can be reduced 
to messages without BCC recipients. 
Given a send email $s(i,l,G)_B$, where $B = \{j_1, \ldots, j_k\}$, we can simulate
it by the following sequence of messages:

$s(i,l,G),\ f(i, s(i,l,G), j_1),\ \ldots,\ f(i, s(i,l,G), j_k)$.

An analogous simulation can be formed for the forward email $f(i,l.m,G)_B$.
At first sight, it seems that this simulation has exactly the same epistemic
effect as the original email with the BCC recipients. In both states, agents
$j_1, \ldots, j_k$ receive a copy of the message and only each of them separately and
the sender of the message are aware of this. However, there are two subtle
differences.

First of all, there is a syntactic difference between the message that agents
$j_1, \ldots, j_k$ receive in the original case and in the simulation. In the original
case they receive exactly the message $m$, and in the simulation they receive a
forward of it. This also means that if they reply to or forward the message,
there is a syntactic difference in this reply or forward. This difference is
purely syntactic and does not essentially influence the knowledge of the
agents, even though it clearly influences the truth value of the formula $j \blacktriangleleft m$
which is true for $j \in \{j_1, \ldots, j_k\}$ in the original case but not in the simulation.

The second difference is more fundamental. If agents $j_1, \ldots, j_k$ are BCC
recipients of $m$ and they do not send a reply to or a forward of $m$, then each
of them can be sure that no other agent but the sender of $m$ knows he was
a BCC recipient. Indeed, in our framework there is no message the sender
of $m$ could send to another agent, that expresses that agents $j_1, \ldots, j_k$ were
the BCC recipients of $m$.

In the case of the simulation however, these recipients do not receive a
BCC but a forward. Since these forwards may have additional BCC recipients
of which agents $j_1, \ldots, j_k$ are unaware, they cannot be sure that the
other agents do not know that they received a forward of the message. Furthermore,
the sender of $m$ could also forward the forward he sent to $j_1, \ldots, j_k$
without informing them about it, thus also revealing their knowledge of $m$.

A concrete example that shows this difference is the following. 

Example 5. Let

$E_s = \{s(1,l,2)_{\{3\}}\}$.

Then $s \models K_3 \neg K_2 K_3 s(1,l,2)$, that is, agent 3 is sure that agent 2 does
not know about his knowledge of the message $s(1,l,2)$. A simulation of
this email without a BCC recipient would result in the state $t$ with (we
abbreviate here each email $m_\emptyset$ to $m$)

$E_t = \{s(1,l,2),\ f(1, s(1,l,2), 3)\}$.

Now consider a state $t'$ with:

$E_{t'} = \{s(1,l,2),\ f(1, s(1,l,2), 3),\ f(1, f(1, s(1,l,2), 3), 2)\}$.

Clearly $t \sim_3 t'$ and $t' \models K_2 K_3 s(1,l,2)$. This shows that $t \not\models K_3 \neg K_2 K_3 s(1,l,2)$.
□

This argument can be made more general as follows. Below, in the
context of a state we identify each message $m$ with the email $m_\emptyset$. Then we
have the following result.

Theorem 6. Take a legal state $s = (E, L)$, an email $m_B \in E$ and an agent
$j \in B$ such that $E$ does not contain a forward of $m$ by $j$ or to $j$. Then
for any set of messages $M$ such that $(M, L)$ is a legal state we have for any
agent $k \notin S(m) \cup \{j\}$

$s \models K_j m \wedge K_j \neg K_k K_j m$,

while

$(M, L) \not\models K_j m \wedge K_j \neg K_k K_j m$.

Proof. Agent $j$ is a BCC recipient of $m$ in $s$, so by the definition of the
semantics $s \models K_j m$. We will first show that $s \models K_j \neg K_k K_j m$. Take some
state $t$ such that $s \sim_j t$. Then by the definition of the semantics there is some
group $C$ such that $m_C \in E_t$ and $j \in C$. Suppose that $m$ is a send email,
say $m = s(i,l,G)$. For the case that $m$ is a forward email the reasoning is
analogous. Let $u$ be the state like $t$, but with

$E_u = E_t \setminus \{s(i,l,G)_C\} \cup \{s(i,l,G)_{C \setminus \{j\}},\ s(i,l,j)\}$.

Note that we implicitly assume that no full version of $s(i,l,j)$ is already
present in $E_t$. If there were such a full version, we could do the same
construction without adding $s(i,l,j)$ to $E_t$.

Since there are no forwards of $m$ by $j$ or to $j$ in $E$, and $s \sim_j t$, there
are no forwards of $m$ by $j$ or to $j$ in $E_t$. This shows that $u$ is a legal state
and that there are no forwards of $m$ to $j$ in $E_u$ so $u \not\models K_j m$. Clearly, for
any $k \notin S(m) \cup \{j\}$ we have $t \sim_k u$. So $t \not\models K_k K_j m$, which shows that
$s \models K_j \neg K_k K_j m$.

Take now any set of messages $M$ such that $(M, L)$ is legal and suppose
$(M, L) \models K_j m$. Then by the Main Theorem there is some message $m'$
in which agent $j$ was involved that implies that message $m$ was sent. By
the requirements on the legal states we know that there is such a message
$m'$ of which agent $j$ was a recipient, and not the sender, since agents can
only send information they initially knew or received through some earlier
message. Since there are no BCC recipients in $M$, we conclude that agent $j$
is a regular recipient of $m'$ that he received from some other agent and that
$m' \to m$ is valid.

Define the set of messages $M'$ by

$M' := M \cup \{f(S(m'), m', k)\}$.

Note that $(M', L)$ is a legal state, and $(M', L) \models K_k m'$. Since $j$ is a
regular recipient of $m'$, $m' \to K_j m'$ is valid and since $m' \to m$ is also
valid this implies that $(M', L) \models K_k K_j m$. Also, since $j$ is not involved in
$f(S(m'), m', k)$, $(M, L) \sim_j (M', L)$. This shows that $(M, L) \not\models K_j \neg K_k K_j m$.
In view of our assumption that $(M, L) \models K_j m$ we conclude that $(M, L) \not\models
K_j m \wedge K_j \neg K_k K_j m$. □

In this theorem we assume that for the BCC recipient j of the message m 
there are no forwards of m to j or by j. The theorem shows that under these 
assumptions, s and (M, L) can be distinguished by an epistemic formula 
concerning the message m. We will now show that these assumptions are 
necessary. 

Example 7. Take a legal state $s = (E, L)$ with

$E = \{s(1,l,2)_{\{3\}},\ f(2, s(1,l,2), 3)\}$

and

$M = \{s(1,l,2),\ f(1, s(1,l,2), 3),\ f(2, s(1,l,2), 3)\}$.

We can see that $(M, L)$ is a perfect BCC-free simulation of $s$: for any formula
$\varphi$ that holds in $s$, if we replace the occurrences of $3 \blacktriangleleft s(1,l,2)$ in $\varphi$ by
$f(1, s(1,l,2), 3)$ then the result holds in $(M, L)$. The reason that we can
find such a set $M$ is that in $E$ there is a forward of $s(1,l,2)$ to agent 3. This
reveals the "secret" that agent 3 knows about $s(1,l,2)$ and then the fact
that agent 3 was a BCC recipient of $s(1,l,2)$ is no longer relevant.

Example 8. A similar example shows the importance of the assumption
that there are no forwards by a BCC recipient. Take a legal state $s = (E, L)$
with

$E = \{s(1,l,2)_{\{3\}},\ f(3, s(1,l,2), 2)\}$

and

$M = \{s(1,l,2),\ f(1, s(1,l,2), 3),\ f(3, f(1, s(1,l,2), 3), 2)\}$.

Again, for any formula $\varphi$ that holds in $s$, if we replace the occurrences of
$3 \blacktriangleleft s(1,l,2)$ in $\varphi$ by $f(1, s(1,l,2), 3)$ then the result holds in $(M, L)$. Now
the reason is that agent 3 informed agent 2 that he was a BCC recipient of
$s(1,l,2)$ in $s$ by sending a forward of this message, so again the fact that
agent 3 knows $s(1,l,2)$ is not secret anymore.

It is interesting to note that the impossibility of simulating BCC by
means of messages is in fact caused by our choice of uninterpreted notes as
the basic contents of the messages. If our framework allowed one to send
messages containing more complex information, for example a formula of
the form $j \blacktriangleleft m$, the sender of $m$ could have informed other agents who were
the BCC recipients. Then in Example 5 we could consider a state $s'$ with

$E_{s'} = \{s(1,n,2)_{\{3\}},\ s(1, 3 \blacktriangleleft s(1,n,2), 2)\}$.

By appropriately extending our semantics we would have then $s \sim_3 s'$ and
$s' \models K_2 K_3 s(1,n,2)$, and hence $s \not\models K_3 \neg K_2 K_3 s(1,n,2)$, so the difference
between the above two states $s$ and $t$ would then disappear. We leave an
analysis of this extension of our framework and the role of BCC in this
extended setting as future work.

7 Email exchanges 

In this section we provide a characterization of the notion of a legal state
in terms of email exchanges. In this setting emails are sent in a nondeterministic
order, each time respecting the restrictions imposed by the legality
conditions L1-L3 of Subsection 2.3.

We define first an operational semantics in the style of [13], though with
some important differences concerning the notions of a program state and
the atomic transitions. Let $M$ be the set of all messages (so not emails). By
a mailbox we mean a function $\sigma : Ag \to \mathcal{P}(M)$; $\sigma(i)$ is then the mailbox of
agent $i$. If for all $i$ we have $\sigma_0(i) = \emptyset$, then we call $\sigma_0$ the empty mailbox.
A configuration is a construct of the form $\langle s, \sigma \rangle$, where $s$ is a legal
state and $\sigma$ is a mailbox.

Atomic transitions between configurations are of the form

$\langle s, \sigma \rangle \to \langle s', \sigma' \rangle$,

where

• $s := (E \cup \{m_B\}, L)$,

• $s' := (E, L)$,

• for $j \in Ag$

$\sigma'(j) := \begin{cases} \sigma(j) \cup \{m\} & \text{if } j \in R(m) \cup S(m) \cup B \\ \sigma(j) & \text{otherwise} \end{cases}$

We say that the above transition processes the email $m_B$. This takes
place subject to the following conditions depending on the form of $m$, where
$L = (L_1, \ldots, L_n)$:

• send $m = s(i,l,G)$.

We stipulate then that $l \in L_i$ or for some $m' \in \sigma(i)$ we have $l \in FI(m')$.
In the case of the second alternative we say below
that $m$ depends on $m'$.

• forward $m = f(i, l.m', G)$.

We stipulate then that $m' \in \sigma(i)$, and $l \in L_i$ or for some $m'' \in \sigma(i)$
we have $l \in FI(m'')$.

In the case of the first alternative we say below that $m$ depends on
$m'$ and in the case of the second alternative that $m$ depends on $m'$
and $m''$.

Given a legal state $s$ an email exchange starting in $s$ is a maximal
sequence of transitions starting in the configuration $\langle s, \sigma_0 \rangle$, where $\sigma_0$ is
the empty mailbox. An email exchange properly terminates if its last
configuration is of the form $\langle s', \sigma \rangle$, where $s' = (\emptyset, L)$.

Note that messages are never deleted from the mailboxes. Further, observe
that in the above atomic transitions we augment the mailboxes of the
recipients of $m_B$ (including the BCC recipients) by $m$ and not by $m_B$. So
the recipients of $m_B$ only 'see' the message $m$ in their mailboxes. Likewise,
we augment the mailbox of the sender by the message $m$ and not by $m_B$.
As a result when in an email exchange a sender forwards his own email, the
BCC recipients of the original email are not shown in the forwarded email.
This is consistent with the discussion of the emails given in Subsection 2.2.

Observe that from the form of a message $m$ in the mailbox $\sigma(i)$ we can
infer whether agent $i$ received it by means of a BCC. Namely, this is the
case iff $i \notin R(m) \cup S(m)$. (Recall that by assumption the sets of regular
recipients and BCC recipients of an email are disjoint.)

The following result then clarifies the concept of a legal state. 
Theorem 9. The following statements are equivalent:
(i) $s$ is a legal state,

(ii) an email exchange starting in $s$ properly terminates,
(iii) all email exchanges starting in $s$ properly terminate.

The equivalence between (i) and (ii) states that the property of a legal 
state amounts to the possibility of processing all the emails in an orderly 
fashion. 

Proof. Suppose s = (E,L). 

(i) $\Rightarrow$ (ii). Suppose $s$ is legal w.r.t. an spo $\prec$. Extend $\prec$ to a linear ordering
$\prec_l$ on $E$. (Such an extension exists on account of the result of [16].) By
the definition of the atomic transitions we can process the emails in $E$ in
the order determined by $\prec_l$. The resulting sequence of transitions forms a
properly terminating email exchange starting in $s$.

(ii) $\Rightarrow$ (iii). Let $\xi$ be a properly terminating email exchange starting in
$s$ and $\xi'$ another email exchange starting in $s$. Let $m_B$ be the first email
processed in $\xi$ that is not processed in $\xi'$. The final mailbox of $\xi'$ contains the
message(s) on which $m$ depends, since their full versions were processed
in $\xi$ before $m_B$ and hence were also processed in $\xi'$. So $m_B$ can be processed
in the final mailbox of $\xi'$, i.e., $\xi'$ is not a maximal sequence. This is a
contradiction.

(iii) $\Rightarrow$ (ii). Obvious.

(ii) $\Rightarrow$ (i). Take a properly terminating email exchange $\xi$ starting in $s$. For
two emails $e_1, e_2 \in E$ let $e_1 \prec e_2$ iff $e_1$ is processed in $\xi$ before $e_2$. By the
definition of the atomic transitions $s$ is legal w.r.t. $\prec$. □
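
The transition system of this section is small enough to execute. The following Python sketch is an added example, not code from the paper: it runs one maximal email exchange from the empty mailbox, uses Theorem 9 to decide legality, and reads BCC status off a mailbox. It assumes that FI(m) is the set of notes occurring in m; the sample state is Example 8's, with a constructed note "q" attached to the forward.

```python
from dataclasses import dataclass
from typing import FrozenSet, Optional

@dataclass(frozen=True)
class Msg:
    sender: int
    note: str
    rcpts: FrozenSet[int]
    fwd: Optional["Msg"] = None  # None: send s(i,l,G); otherwise forward f(i,l.m',G)

def FI(m):
    # Assumption: FI(m) is the set of notes occurring in m, forwarded ones included.
    return {m.note} | (FI(m.fwd) if m.fwd else set())

def can_process(m, notes, box):
    # Sender must hold the note (initially or via a received message) and,
    # for a forward, must already have the forwarded message in its mailbox.
    i = m.sender
    has_note = m.note in notes.get(i, set()) or any(m.note in FI(x) for x in box[i])
    return has_note and (m.fwd is None or m.fwd in box[i])

def run_exchange(emails, notes, agents):
    """Run one maximal exchange from the empty mailbox; return (unprocessed, mailboxes)."""
    pending = set(emails)                 # emails are (message, bcc) pairs
    box = {a: set() for a in agents}
    progress = True
    while progress:
        progress = False
        for m, bcc in list(pending):
            if can_process(m, notes, box):
                for j in {m.sender} | m.rcpts | bcc:
                    box[j].add(m)         # mailboxes store m, never the email m_B
                pending.discard((m, bcc))
                progress = True
    return pending, box

def is_legal(emails, notes, agents):
    # Theorem 9: legal iff an (equivalently, every) exchange properly terminates.
    return not run_exchange(emails, notes, agents)[0]

def received_as_bcc(i, m, box):
    # i holds m but is neither its sender nor one of its regular recipients.
    return m in box[i] and i != m.sender and i not in m.rcpts

# Constructed sample input: Example 8's state; the note "q" is an added assumption.
AGENTS = {1, 2, 3}
NOTES = {1: {"l"}, 3: {"q"}}
M = Msg(1, "l", frozenset({2}))
FWD = Msg(3, "q", frozenset({2}), fwd=M)
STATE = {(M, frozenset({3})), (FWD, frozenset())}

if __name__ == "__main__":
    _, box = run_exchange(STATE, NOTES, AGENTS)
    print(is_legal(STATE, NOTES, AGENTS), received_as_bcc(3, M, box))
    print(is_legal({(FWD, frozenset())}, NOTES, AGENTS))
```

Dropping the original email from the state leaves the forward unprocessable, so the exchange does not properly terminate and the state is reported as not legal.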

8 Conclusions and future work 

Email is by now one of the most common forms of group communication.
This motivates the study presented here. The language we introduced allowed
us to discuss various fine points of email communication, notably forwarding
and the use of BCC. The epistemic semantics we proposed aimed at
clarifying the knowledge-theoretic consequences of this form of communication.
Our presentation, focused on the issue of common knowledge, allowed
us to determine when a group of agents has common knowledge of an
email.
This framework also leads to natural questions concerning axiomatization
of the introduced language and the decidability of its semantics. Currently
we work on

• a sound and complete axiomatization of the epistemic language £ of 
Section O at this stage we have such an axiomatization for the non- 
epistemic formulas, 

• the problem of decidability of the truth definition given in Section O 
at this stage we have a decidability result for positive formulas, 

• a comparison of the proposed semantics with the one based on se- 
quences ('histories') of emails rather than partially ordered sets of 
emails. 

In our framework, as explained in Section 3, communication is synchronous.
We plan to extend our results to the more general framework
of [1], by assuming for each agent a time bound by which he reads his
emails.

Another extension worthwhile to study is one in which the agents communicate
richer basic statements than just notes. We already indicated in
Section 6 that sending messages containing a formula $i \blacktriangleleft m$ increases the
expressiveness of the messages from the epistemic point of view. One could
also consider in our framework sending epistemic formulas, a feature recently
studied in a different setting in [To].